1 #!/bin/sh
2 # this script generates a set of sample keys
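DOMAIN="cacert.local"
KEYSIZE=4096
PRIVATEPW="changeit"

# Optional per-checkout overrides of the values above. Sourcing executes the
# file, so ./config must only be writable by whoever runs this script.
if [ -f config ]; then
  . ./config
fi

# Start from a clean slate: drop every artefact of a previous run.
# "--" keeps a stray "-something.crt" from being parsed as an rm option.
rm -Rf -- *.csr *.crt *.key *.pkcs12 *.ca *.crl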
11
12
####### create various extensions files for the various certificate types ######

# Write the X.509 v3 extension profile shared by the root and the sub-CAs.
# $1 - output file name
# NOTE(review): basicConstraints is not marked critical in this profile,
# although RFC 5280 section 4.2.1.9 requires that for CA certificates.
write_ca_extensions() {
  cat > "$1" <<'TESTCA'
basicConstraints = CA:true
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
TESTCA
}

# Write the extension profile for an end-entity certificate.
# $1 - output file name
# $2 - extendedKeyUsage value (serverAuth, clientAuth or emailProtection)
write_leaf_extensions() {
  cat > "$1" <<TESTCA
basicConstraints = critical,CA:false
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage=$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
#crlDistributionPoints=URI:http://www.my.host/ca.crl
#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
TESTCA
}

write_ca_extensions ca.cnf
write_ca_extensions subca.cnf
write_leaf_extensions req.cnf serverAuth
write_leaf_extensions reqClient.cnf clientAuth
write_leaf_extensions reqMail.cnf emailProtection
59
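#######################################
# Generate an RSA private key and a CSR for it.
# Globals:   KEYSIZE (read) - RSA modulus size in bits
# Arguments: $1 - subject prefix such as "/CN=foo"; the fixed O and OU
#                 components are appended here
#            $2 - base name of the output files ($2.key and $2.csr)
# Outputs:   $2.key (unencrypted private key) and $2.csr
# Returns:   1 if key generation fails, else the status of the CSR request
# NOTE(review): the key file is created with the caller's umask; run the
# script under a restrictive umask if the keys must not be world-readable.
#######################################
genKey(){ #subj, internalName
    openssl genrsa -out "$2.key" "${KEYSIZE}" || return 1
    openssl req -new -key "$2.key" -out "$2.csr" -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
}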
65
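#######################################
# Create the on-disk layout of a CA in $2.ca/ and generate its key and CSR.
# The newcerts/, serial, db and db.attr entries are the `openssl ca`
# database files; presumably selfsign.config (not part of this script)
# points `openssl ca` at them.
# Arguments: $1 - subject prefix for the CA key (see genKey)
#            $2 - internal CA name; everything lives in $2.ca/
# Outputs:   $2.ca/key.key, $2.ca/key.csr, $2.ca/newcerts/, $2.ca/serial,
#            $2.ca/db, $2.ca/db.attr
# Returns:   1 if the CA directory already exists / cannot be created or
#            key generation fails, else the status of the last command
#######################################
genca(){ #subj, internalName
    # Refuse to reuse an existing CA directory rather than mixing state.
    mkdir "$2.ca" || return 1

    genKey "$1" "$2.ca/key" || return 1

    mkdir "$2.ca/newcerts"
    echo 01 > "$2.ca/serial"
    # Empty index; unique_subject = no lets the same subject be issued again.
    touch "$2.ca/db"
    echo unique_subject = no > "$2.ca/db.attr"
}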
77
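#######################################
# Sign a CSR with one of the generated CAs via `openssl ca`.
# The body runs in a subshell so a failed cd cannot leave the caller in the
# wrong directory (a plain cd/cd .. pair would climb one level up on error).
# Arguments: $1 - CSR path relative to the working directory, without the
#                 .csr suffix; the certificate is written to $1.crt
#            $2 - internal name of the signing CA (directory $2.ca/)
#            $3 - extensions file, relative to the working directory
# Requires:  selfsign.config in the working directory; it is not created by
#            this script
# Returns:   1 if the CA directory is missing, else the `openssl ca` status
#######################################
caSign(){ # csr,ca,config
    (
        cd "$2.ca" || exit 1
        openssl ca -cert key.crt -keyfile key.key -in "../$1.csr" -out "../$1.crt" \
            -days 365 -batch -config ../selfsign.config -extfile "../$3"
    )
}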
83
# Sign a sub-CA's own CSR ($1.ca/key.csr) with the root CA, using the
# sub-CA extension profile.
# $1 - internal name of the sub-CA
rootSign(){ # csr
    caSign "${1}.ca/key" root subca.cnf
}
87
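#######################################
# Sign a CSR as a sub-CA whose CRL and AIA URLs name the signing CA ($2)
# instead of the root. Uses a temporary extension file that is removed
# again whether or not signing succeeds.
# Arguments: $1 - CSR path without suffix (see caSign)
#            $2 - internal name of the signing CA; also embedded in the URLs
# Outputs:   $1.crt
# Returns:   the status of caSign
#######################################
genTimeCA(){ #csr,ca,
    cat <<TESTCA > timesubca.cnf
basicConstraints = CA:true
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
TESTCA
    caSign "$1" "$2" timesubca.cnf
    # Keep caSign's status across the cleanup without a global variable
    # (POSIX sh has no local); the positional parameters are free by now.
    set -- "$?"
    rm -f -- timesubca.cnf
    return "$1"
}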
99
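#######################################
# Generate a leaf key, have it signed by the env15_1 CA and bundle key,
# certificate and chain as PKCS#12.
# Globals:   KEYSIZE (read)
#            PRIVATEPW (read) - PKCS#12 export password; falls back to
#            "changeit" when unset
# Arguments: $1 - base name of the output files; also the PKCS#12 friendly name
#            $2 - full subject, e.g. "/CN=www.example"
#            $3 - extensions file handed to caSign
# Outputs:   $1.key, $1.csr, $1.crt, $1.pkcs12
# Requires:  env15_1.ca/ and env.chain.crt in the working directory
# Returns:   1 if key generation, the CSR or signing fails, else the
#            `openssl pkcs12` status
#######################################
genserver(){ #key, subject, config
    openssl genrsa -out "$1.key" "${KEYSIZE}" || return 1
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2" || return 1
    caSign "$1" env15_1 "$3" || return 1

    # The export password is the configured PRIVATEPW, handed to openssl via
    # the environment (env:) rather than argv (pass:) so it is not visible in
    # process listings.
    PRIVATEPW="${PRIVATEPW:-changeit}" openssl pkcs12 -inkey "$1.key" -in "$1.crt" -CAfile env.chain.crt -chain \
        -name "$1" -export -passout env:PRIVATEPW -out "$1.pkcs12"
}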
108
109
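# Generate the super Root CA (self-signed with the CA extension profile)
genca "/CN=Cacert-gigi testCA" root
openssl x509 -req -days 365 -in root.ca/key.csr -signkey root.ca/key.key -out root.ca/key.crt -extfile ca.cnf

# generate the various sub-CAs, each signed by the root
genca "/CN=Environment" env
rootSign env
genca "/CN=Unassured" unassured
rootSign unassured
genca "/CN=Assured" assured
rootSign assured
genca "/CN=Codesigning" codesign
rootSign codesign
genca "/CN=Orga" orga
rootSign orga
genca "/CN=Orga sign" orgaSign
rootSign orgaSign

# the 2015-1 CAs are signed by their parent sub-CA, not by the root;
# unassured15_1 gets a key and certificate only, no CA directory
genca "/CN=Environment 2015-1" env15_1
genTimeCA env15_1.ca/key env
genKey "/CN=Unassured 2015-1" unassured15_1
genTimeCA unassured15_1 unassured

# chain used by genserver for the PKCS#12 bundles: env15_1 -> env -> root
cat env15_1.ca/key.crt env.ca/key.crt root.ca/key.crt > env.chain.crt

# generate environment-keys specific to gigi.
# first the server keys
genserver www "/CN=www.${DOMAIN}" req.cnf
genserver secure "/CN=secure.${DOMAIN}" req.cnf
genserver static "/CN=static.${DOMAIN}" req.cnf
genserver api "/CN=api.${DOMAIN}" req.cnf

# then the email signing key
genserver mail "/emailAddress=support@${DOMAIN}" reqMail.cnf

# then environment-keys for cassiopeia
genserver signer_client "/CN=CAcert signer handler 1" reqClient.cnf
genserver signer_server "/CN=CAcert signer 1" req.cnf

rm -f -- ca.cnf subca.cnf req.cnf reqMail.cnf reqClient.cnf

# Verify every leaf chains up to the root; a failed verification makes the
# whole script exit non-zero instead of being lost in the output.
failed=0
for leaf in www secure static api signer_client signer_server mail; do
  openssl verify -CAfile root.ca/key.crt -untrusted env.chain.crt "${leaf}.crt" || failed=1
done
rm -f -- env.chain.crt
exit "$failed"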